Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to try 'except' functionality with playbook?

nongingerale
Explorer
‎01-18-2023 12:13 PM

Fairly new to writing playbooks within Phantom and so far havent found documentation for this yet:
I'm trying to create an email notification (or something along those lines) whenever a playbook fails to complete for whatever reason (main fail case is if a splunk search fails/job dies). Basically almost like a try/except block but in Phantom. Has anyone found a way to incorporate this in phantom?

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎01-19-2023 02:21 AM

@nongingerale this is something you need to build into your playbook(s). 

All actions have a 'status' output which can be used in a decision block which then checks for the success/failed output and if not success then route down a path to a 'send_email' action or input playbook. I would recommend input playbook so you can re-use for all failures in your automation. 

For checking playbook failures, rather than action failures, you would probably need to use REST to check `/rest/playbook_run` for any that have a status of failed on a schedule (use timer app) and then sends an email if more than 1 failure found. 

Hope this helps!

Happy SOARing!

View solution in original post

Reply
Solved! Jump to solution

CS_
Path Finder
‎01-25-2023 06:32 PM

Yep - just like @phanTom  says - you can check the "status" output for an app action. I would do something like this:

CS__0-1674700162022.png

The decision checks the status of the Splunk "Run Query" app action, if successful; end, Else; send an email.

You can do stiff with "try/except" in regular codeblocks but to be honest they become  a pain to manage in larger playbooks.  I know when i started with playbooks, i had to try and unlearn how I'd do it in python, and think about it in terms of SOAR's playbook capabilities, but I am better off for it 😄

 

Reply
Solved! Jump to solution

nongingerale
Explorer
‎02-14-2023 08:05 AM

that makes sense, thanks for the help!

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎01-19-2023 02:21 AM

@nongingerale this is something you need to build into your playbook(s). 

All actions have a 'status' output which can be used in a decision block which then checks for the success/failed output and if not success then route down a path to a 'send_email' action or input playbook. I would recommend input playbook so you can re-use for all failures in your automation. 

For checking playbook failures, rather than action failures, you would probably need to use REST to check `/rest/playbook_run` for any that have a status of failed on a schedule (use timer app) and then sends an email if more than 1 failure found. 

Hope this helps!

Happy SOARing!

Reply
Solved! Jump to solution

nongingerale
Explorer
‎02-14-2023 08:05 AM

thanks! appreciate the help

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...